SiteGround Labels Their WordPress Security Plugin as Web Application Firewall (WAF) Despite Not Having One
When it comes to the WordPress Plugin Directory, security isn’t being handled well. Earlier this week we noted how a plugin was allowed back into the directory despite not having come close to properly resolving a serious security vulnerability that hackers were likely targeting. That is the kind of thing that would likely lead more in the WordPress community to look for security plugins to help protect them. In looking into how some popular WordPress security plugins are being marketed in WordPress’ plugin directory recently, we saw that developers are often making efficacy claims that are far from reality. They are making those claims without presenting any evidence to back them up. That seems like something that WordPress could handle better, by requiring evidence to back up any efficacy claims made about those plugins on the plugin directory.
One of the plugins that we looked at, which is being marketed beyond what it delivers, is the web host SiteGround’s security plugin. SiteGround recently rebranded it from SiteGround Security to Security Optimizer. As we documented recently, that plugin has what they call Advanced XSS Protection, which doesn’t offer protection, much less advanced protection. Something else we noticed while looking into the plugin is that they have it tagged on the plugin directory as a web application firewall (WAF):
Not all of their tags for the plugin get shown there. Here is the full set:
security, firewall, malware scanner, web application firewall, two factor authentication, block hackers, country blocking, clean hacked site, blocklist, waf, login security, free
So two mentions of a WAF and one of a firewall.
Running contrary to that, a “SiteGround Represenative” wrote on the WordPress Support Forum that it doesn’t contain a WAF:
Just to add that the “lacking” functionality is intentionally not added to the plugin because they are working on a server level, like bot protection and rate limiting, malware scanner, waf, etc.
They are correct that it doesn’t contain a WAF.
Looking at the guidelines for the plugin directory, they mention tags in one of the guidelines, but it isn’t clearly spelled out that using inaccurate tags would be a violation:
Public facing pages, including readmes and translation files, may not be used to spam. Spammy behavior includes (but is not limited to) unnecessary affiliate links, tags to competitors’ plugins, use of over 12 tags total, blackhat SEO, and keyword stuffing.
Similarly, related products may be used in tags but not competitors. If a plugin is a WooCommerce extension, it may use the tag ‘woocommerce.’ However, if the plugin is an alternative to Akismet, it may not use that term as a tag. Repetitive use of a tag or specific term is considered to be keyword stuffing, and is not permitted.